06-16-2007 12:17 PM
We have an Easy VPN connection between an ASA 5505 (client) and a PIX 515 (server) which works fine except for the DHCP relay. The problem is that the DHCP request from the client behind the ASA is blocked on the PIX because the ASA sends the request with the outside interface IP address. The ASA gets the outside IP address dynamically from the ISP over PPPoE. If the DHCP request were sent with the inside interface IP address it would work. I didn't find a way to solve the problem. Is it even possible to solve the problem the way I want it?
Thanks
Gerhard
06-18-2007 04:27 AM
Hi Gerhard,
Hope you have configured NAT/PAT for the inside hosts based on the outside interface.
Why can't you remove the NAT/PAT configuration for the inside hosts (NAT exemption) so that your traffic will be passed with the original IP address inside the tunnel?
You can create a policy NAT, that is, you can use NAT/PAT when you access the Internet and disable NAT/PAT while accessing the VPN.
--Jaffer
06-18-2007 04:52 AM
Hi Jaffer,
Thanks for your answer. NAT is configured on the ASA. On the PIX there is a policy that forces the ASA to send the whole traffic through the tunnel.
NAT on the ASA:
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
For some reason that I can't understand, the ASA's DHCP relay agent uses the outside IP address which is assigned dynamically by the ISP.
dhcp-relay settings:
dhcprelay server 172.16.11.2 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
Regards
Gerhard
06-18-2007 08:21 PM
Gerhard,
Your ASA will use the outside IP address for all outgoing packets because NAT has been configured that way.
I'm going to change the NAT in such a way that when a packet is going to your remote end (PIX), it will keep the same IP (disabling NAT), and when a packet leaves to other destinations it will get NATed.
Here is the NAT config on ASA:
--------------------------------
access-list 10 deny
access-list 10 permit any any
nat (inside) 1 access-list 10
global (outside) 1 interface
I am not sure why you are using the command
global (inside) 1 interface. Remove this command if you are performing destination NAT. For doing this we also need at least one nat (outside) command, so remove this.
Please check it out with this NAT config. If it still doesn't work, can you provide me the full config file of the ASA (excluding passwords) and debug info of the DHCP relay?
--Jaffer
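As an added example of the NAT exemption approach described above (not configuration posted in this thread, and not tested against the poster's devices), here is the pre-8.3 ASA/PIX syntax that leaves traffic from the inside hosts to the remote site untranslated while everything else is still PATed to the outside interface. The networks 192.168.1.0/24 (LAN behind the ASA) and 172.16.11.0/24 (site behind the PIX, chosen because the DHCP server in the thread is 172.16.11.2) and the ACL name NO_NAT are assumptions for illustration:

```cisco
! Added example, placeholder networks: 192.168.1.0/24 is the assumed LAN behind
! the ASA, 172.16.11.0/24 the assumed site behind the PIX (Easy VPN server).
! Traffic matching NO_NAT is exempted from translation (nat 0 wins over nat 1),
! so hosts behind the ASA appear with their real addresses inside the tunnel.
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 172.16.11.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
! Everything else from the inside is PATed to the dynamic PPPoE address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! The relay agent itself is unaffected by this: the ASA is the sender of the
! relayed request and sources it from the interface facing the server.
dhcprelay server 172.16.11.2 outside
dhcprelay enable inside
dhcprelay setroute inside
```

Note that `nat (inside) 0 access-list` is the NAT exemption form; a `nat (inside) 1 access-list` statement is policy NAT and still translates matching traffic through the `global (outside) 1` pool. Exemption only changes what the inside hosts' own packets look like; a request generated by the relay agent on the ASA is still sourced from the outside interface, so the server side must permit that address regardless.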
06-18-2007 10:19 PM
Hi Gerhard,
This is the correct behavior of the ASA for DHCP relay. The ASA will use the egress interface IP address whether you configure NATing or not; this is by design in the ASA and PIX code. Unfortunately there is no method of forcing the ASA to change the IP address used to relay the DHCP request.
The only way to work around this issue is to include the IP address of the outside interface through the tunnel when communicating with the DHCP server.
I hope you can locate a static IP address for the ASA from your ISP to be able to get this working.
Regards,
Shadi
06-18-2007 11:14 PM
Thanks Shadi,
that's what I suspected. It's not a bug, it's by design :-)
I have still one idea and if it fails I follow your recommendation and contact my ISP.
I'll try it on the PIX with a downloadable ACL and per-user-override on the access-group for "outside_access-in".
With this downloadable ACL on the ACS I think it works:
permit tcp any host SRV-DC2 eq 67
permit udp any host SRV-DC2 eq 67
I hope that the reply from the DHCP server on port 68 works through stateful inspection.
regards
Gerhard
Also thanks to Jaffer
06-19-2007 08:52 AM
It's really annoying. You want to use TFTP -> the ASA uses the outside IP. You want to use CiscoWorks RME for sync archive -> for some reason I don't know, the outside IP of the ASA is used, and I definitely didn't configure the outside IP in Works.
For an intelligent use of the ASA you need a static IP address on the outside interface. But that's not common for ADSL connections in Germany. You have to pay a few euros more per month for it.